Trojan:Win32/EyeStye
First posted on 02 October 2012.
Source: Microsoft
Aliases:
Trojan:Win32/EyeStye is also known as Win-Trojan/Pincav.125952.B (AhnLab), Win32/SpyEye.B (CA), Trojan.Win32.Pincav.rvy (Kaspersky), BackDoor-Spyeye (McAfee), Mal/Spyeye-A (Sophos), Trojan.SpyEYE (Symantec), TSPY_EYEBOT.SMA (Trend Micro), EyeSpy (other).
Explanation:
Trojan:Win32/EyeStye is a trojan that captures keystrokes and steals login credentials through a method known as "form grabbing". Trojan:Win32/EyeStye sends captured data to a remote attacker, may download additional malicious components, and may use a rootkit component to hide malicious activity.
Installation
The trojan may be installed by other malware such as TrojanDropper:Win32/EyeStye. In the wild, we have observed the trojan dropping files in the directory in which it's executed, using the following file name format:
%CurrentDirectory%\<filename>.exe\<filename>.exe
Where <filename> may be, but is not limited to, any of the following:
- cleansweep.exe
- windowseep.exe
- systemhost.exe
- mssetupers.exe
- msixxxxxxx.exe
- systemrxxt.exe
- cleanswepx.exe
- malacuxatx.exe
- fheydbueyj.exe
- windowsxxx.exe
- portwexexe.exe
- bofabotxxx.exe
- cxlacuxatx.exe
- googlemaps.exe
- windowsdvd.exe
- ciaxxxxxxx.exe
- onweretetr.exe
- moneyxmexx.exe
- wlcwlcwlcw.exe
- shitspykid.exe
- rundllxxxx.exe
- jdsfjsdijf.exe
- usxxxxxxxx.exe
- inetserver.exe
- intelcored.exe
- bbbxxxxxxx.exe
- defenderxx.exe
- bootstartx.exe
- mdnsrespon.exe
- winstackxx.exe
When executed, the trojan creates a mutex to ensure that only one instance of the trojan executes. In the wild, we have observed the trojan using the following mutexes:
- __SPYNET__
- __INDDNI__
- __WINNET__
- __mytmsi__
- __pipent__
- __Window__
- __efryhu__
- __ViXyzp__
- __spnxxx__
- __SYSTEM__
- __usxxxx__
- __twxter__
- __mynetx__
- __pitizK__
- __GOLNET__
- __CIAxxx__
- __INTSRV__
- __Intell__
- __Readme__
- __vmware__
- __mnetxx__
- __spykid__
- __smssxx__
- __wlcwlc__
- __xxxxxx__
- __BIGNVx__
- __settin__
- __mutxxx__
- __diuhgu__
- __MSCSRV__
- __austxx__
- __romxca__
- __oaiweo__
- __intern__
- __oigeiw__
- __dorodr__
- __rrrrrr__
- __plugin__
- __MKOLNE__
- __pqoerw__
- __dwadhx__
- __CASSIE__
- __austrx__
- __GOLTEL__
- __mutnam__
- __ZSnetD__
- __aoeiuw__
If found, the trojan will delete any old copies of itself from the affected computer. The trojan makes the following registry modification to ensure that its copy executes at each system start:
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<filename>.exe"
With data: "%CurrentDirectory%\<filename>.exe\<filename>.exe"
The trojan injects malicious code into running processes and newly created processes; however, it avoids injecting code into the following system processes:
- system
- smss.exe
- csrss.exe
- <malware executable>
Payload
Hides files and registry data
Win32/EyeStye employs a user-mode rootkit that hooks the following low-level APIs to hide its malicious files, its directory, and its registry data:
- NtQueryDirectoryFile
- NtVdmControl
- NtEnumerateValueKey
Captures sensitive data
The trojan hooks several system APIs to capture login information, such as form data and keystrokes. Win32/EyeStye hooks the following APIs:
- TranslateMessage
- NtResumeThread
- LdrLoadDll
- InternetCloseHandle
- HttpSendRequestA
- HttpSendRequestW
- PR_Write
- send
By hooking the APIs mentioned above, the trojan can also inject malicious code into existing and new processes and monitor the loading of DLLs. Commonly, the trojan will download additional components to add extra functionality, such as Worm:Win32/EyeStye.A and Worm:Win32/EyeStye.B.
Sends captured data to a remote server
The trojan attempts to send captured data via HTTP POST to a remote server. In the wild, we have observed this trojan connecting to one of the following remote servers:
While sending captured data, it may include the following other information:
- Bot GUID, a unique identifier associated with the trojan
- User name
- Computer name
- Volume serial number
- Process name associated with the captured data
- Name of the hooked API function (for example, PR_Write)
- Captured raw data
- Keys (logged keystrokes)
- Other information specific to the computer's locale, such as:
  - Local time
  - Time zone
  - Operating system version
  - Language
Download updates and arbitrary files
Once connected to the attacker's website, and depending on the command received, Trojan:Win32/EyeStye may update and execute the trojan itself as the following:
%CurrentDirectory%\<filename>.exe\<filename>upd.exe
It may also update a configuration file in ZIP archive format as the following:
%CurrentDirectory%\<filename>.exe\config.bin
The trojan communicates via mutexes named "__<MUTEX NAME>_UNINSTALL__" and "__<MUTEX NAME>_RELOADCFG__" to instruct existing instances of malicious code in memory to reload data from the new configuration file, uninstall, and so on. This allows the trojan and its associated components to change the target server.
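As an added example, not part of the original Microsoft analysis, the following Python checks two host artifacts described above: a Run-key value named "<filename>.exe" whose data points to "<dir>\<filename>.exe\<filename>.exe", and mutex names of the "__XXXXXX__" instance form or the "__<NAME>_UNINSTALL__" / "__<NAME>_RELOADCFG__" control form. The Run entries and mutex names in the block are constructed sample data, not values taken from a real system.

```python
import re
from typing import Optional

# Run-key data of the shape <dir>\<name>.exe\<name>.exe, with the value name
# equal to <name>.exe, is the persistence layout the analysis describes.
_PATH_RE = re.compile(r"^(?P<dir>.+)\\(?P<name>[^\\]+\.exe)\\(?P=name)$", re.IGNORECASE)

# Observed mutexes are six characters between double underscores; control
# mutexes append _UNINSTALL or _RELOADCFG to that base name.
_MUTEX_RE = re.compile(r"^__(?P<name>[A-Za-z0-9]{6})(?:_(?P<ctl>UNINSTALL|RELOADCFG))?__$")


def run_entry_is_suspicious(value_name: str, data: str) -> bool:
    """True when a Run value mirrors the <name>.exe\\<name>.exe layout."""
    m = _PATH_RE.match(data.strip().strip('"'))
    return bool(m) and m.group("name").lower() == value_name.strip().lower()


def classify_mutex(mutex: str) -> Optional[dict]:
    """Return {'name', 'control'} for an EyeStye-shaped mutex name, else None."""
    m = _MUTEX_RE.match(mutex)
    if not m:
        return None
    return {"name": m.group("name"), "control": m.group("ctl") or "INSTANCE"}


# Constructed sample data (not from a real host): a Run-key export and a list
# of named mutex handles as an endpoint tool might report them.
SAMPLE_RUN = {
    "cleansweep.exe": r"C:\Users\u\Downloads\cleansweep.exe\cleansweep.exe",
    "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "googlemaps.exe": r'"C:\Temp\googlemaps.exe\googlemaps.exe"',
}
SAMPLE_MUTEXES = ["__SPYNET__", "__SPYNET_RELOADCFG__", "Global\\MsiMutex",
                  "__mynetx_UNINSTALL__", "__toolong__"]


def scan(run_entries, mutexes):
    """Return (sorted suspicious Run value names, list of mutex classifications)."""
    run_hits = sorted(n for n, d in run_entries.items() if run_entry_is_suspicious(n, d))
    mutex_hits = [c for c in (classify_mutex(m) for m in mutexes) if c]
    return run_hits, mutex_hits


if __name__ == "__main__":
    hits, mx = scan(SAMPLE_RUN, SAMPLE_MUTEXES)
    print("Run-key hits:", hits)
    for c in mx:
        print(f"mutex base {c['name']} ({c['control']})")
```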
Analysis by Rodel Finones and Matt McCormack
Last update 02 October 2012